LAYERED PROTECTION SYSTEM
FOR COMPUTER'S HARD DISK

This application in part discloses and claims subject matter disclosed in our earlier filed pending application, Serial Number 07/378,549, filed July 10, 1989.

The U.S. Government has rights in this invention pursuant to Contract No. DE-AC05-84OR21400 awarded by the U.S. Department of Energy under contract with Martin Marietta Energy Systems, Inc.

Technical Field

This invention relates to the field of computer disk security and more particularly concerns a multilevel system and device for preventing unauthorized access to such a computer disk.

Background Art

In establishments using proprietary or classified information, especially in government and military environments, microcomputers equipped with nonremovable "hard" disks are approved for handling sensitive information only in secured areas, because sensitive information could be stored intentionally or inadvertently on the nonremovable "hard" disks. As a result, the sensitive information could be obtained by unauthorized individuals. Also, information that is legitimately stored on these nonremovable "hard" disks needs protection from inadvertent erasure or alteration. The effort of maintaining computers in an environment free from such undesirable occurrences naturally hampers productivity. However, productivity could be significantly increased if the microcomputer's central processor could be accessed while verifiably preventing unauthorized access to the information stored on the computer's disk drives. Similar problems could also exist for computer users in private industry.

The prior art made of record in the parent case is herein incorporated by reference. While some of the above referenced art addresses the problem of controlling access to the computer, the prior art relies on physical obstructions to the external openings to the drive bays or on keyed "on-off" switches. The art does not offer or suggest a system that simultaneously offers access to the processing capabilities of the computer while verifiably preventing access to the information stored in the protected disk drives.

Accordingly, it is an object of this invention to provide a multilayered system incorporating hardware and software which verifiably prevents undesirable access to a computer's hard disk memory while allowing an operator to use the computer's central processor.

It is another object of the present invention to provide a multilayered system incorporating hardware and software which also prevents undesirable access to a computer's floppy disk drive(s) if such protection is warranted.

It is another object of this invention to provide a multilayered security system which maintains a status log of all protected disk checks and activities for purposes of routine security audit checks.

It is another object of this invention to provide a multilayered security system which prevents "virus" contamination of protected drives.

Other objects and advantages over the prior art will become apparent to those skilled in the art upon reading the detailed description together with the drawings described as follows.
Disclosure of the Invention

In accordance with various features of the present invention, a layered protection system for a computer disk is provided wherein both read and write access to the hard disk of a computer are controlled and can be prevented on multiple cooperating levels. The layered protection system for a computer disk includes a hardware layer, wherein certain of the electrical wires which connect the computer to the disk controller are physically interrupted with a switching device inserted therebetween to reestablish the electrical connections only under controlled conditions.

Maintaining administrative control of the key for the security switch comprises another cooperating level of controlling access to the hard disk memory. Within the multilevel protection program of the preferred embodiment of the present invention, four operating modes are established. The first such operating mode is a "NORMAL" mode, wherein an operator can both read from and write to the hard disk memory of a computer. The second is a "READ ONLY" mode, wherein an operator can read from the hard disk but cannot write to it. The third mode is "WRITE ONLY", wherein an operator can write data into the hard disk memory of a computer but cannot read from it. Finally, there is a "NEITHER" mode, wherein an operator can neither read from nor write to the hard disk memory, but can still utilize all the other functions of the affected computer.

The layered protection system also includes a software layer that verifies that the hardware is both functioning and in use. This software "locks up" the system in the event of a failure on the part of the hardware. The software also initiates and maintains a status log for security audit purposes. Administrative controls require the computer to be started with a "boot" disk which contains the software layer. The software functions as a "Terminate and Stay Resident" (TSR) program. This allows the software to verify that the hardware is functioning and prevent unauthorized access to the hard disk while the operator is using the computer. When the computer user is finished working in a classified environment the software is again utilized to verify that the protected disks have not been written to and to update the security audit status log.

Brief Description of the Drawings

The above mentioned features of the invention will become more clearly understood from the following detailed description of the invention read together with the drawings in which:

Figures 1A, 1B, and 1C are pictorial views of the components of an access restricting system.

Figure 2 is a pictorial diagram of a typical switching device constructed in accordance with various features of the present invention.

Figure 3 is a general schematic diagram of the electrical system of the access restricting system pictured in Figure 1.

Figure 4 is a detailed schematic diagram of the 
electrical system of the present invention. 

Figure 5 illustrates a flow diagram of the operational steps of the software layer of the invention during the start-up, in which the software verifies that the hardware is functioning prior to allowing the user access to the computer.

Figure 6 illustrates a flow diagram of the operational steps of the software in TSR mode and the steps in the "QUIT" portion of the software that verifies that no unauthorized changes have been made to the protected disks during the period of the operator's use.
Best Mode For Carrying Out The Invention

A layered protection system for a computer disk is illustrated pictorially in Figures 1A, 1B, and 1C. Figure 1A illustrates a key 34 and a lock means 28 that cooperate with a security switch 18 illustrated in Figure 1B. These elements are shown as representing the "hardware" portion of the layered protection system for a computer disk.

The mechanical components of the lock and switch means are well known in the art and are typical of the multiple-pole, multiple-throw locking electrical switch that can be obtained "off the shelf". Of importance is the manner, described herein, in which the locking electrical switch is interfaced with the computer. It will be recognized by those skilled in the art that the switch 18, with its key 34 and lock 28, can also be installed directly within the computer 30 or within a housing for the fixed disk drive. The choice of location will depend upon the particular installation plan for the present invention, the important feature being to interrupt the communication between the hard disk and the computer.

A perspective view of a typical embodiment of this hardware portion of the administrative control level is shown at 22 in Figure 2. This includes a housing 20 for the enclosure of the switch 18 (not shown in this figure), this switch accepting the aforementioned key 34 and lock 28. Illustrated are the various electrical cables 12, 14 that connect the switch with a disk drive controller and the disk drive itself.

While a mechanical key and lock have been described 
and illustrated, it will of course be understood that an 
electronic or a digital security switch, which are well 
known in the art, will also provide a suitable means for 
preventing or allowing access. 

A general schematic diagram of the system of the present invention is illustrated in Figure 3. Here it can be seen that the cables 12, 14 are used to connect the hardware portion 22 of the administrative control level to a drive controller in a computer 30, or it can be a separate unit if desired. The switch 18 within the enclosure 20 is illustrated for convenience as a double-pole switch; however, as illustrated in both Figure 1B and Figure 4, this is a multi-pole, multi-throw switch. As discussed in greater detail hereinafter, only a portion of the electrical leads between the drive controller and the disk drive needs to be interrupted by the switch. The remaining electrical leads are designated at 40 in Figure 3. These leads 40 can either bypass the housing 20 or can be routed therethrough.

A detailed schematic diagram of the hardware system of the administrative control of the present invention is shown in Figure 4. As stated above, the switch 18 is typically a multi-pole, multi-throw type. The switch has an indicator 80 which will indicate the position of the switch in the following positions, which are discussed below: "NORMAL", "READ ONLY", "WRITE ONLY", and "NEITHER". In the preferred embodiment, the key-out position, i.e., the only position in which the key can be removed, is the "NEITHER" position.

The specific wires to be interrupted by being connected to switch 18 include at least the "Drive Select", "Write Gate", "Write Enable", "Read Gate", and two "Write Data" lines. The total travel distance added by the switching device 22 and its input and output leads for data transmission between the computer 30 and the hard disk drive 32 is preferably of equal length for all interrupted lines and preferably no longer than five feet, in order to maintain correct timing for data transmitted through the switching device 22.

WO 91/01065 PCT/US90/03865

Referring next to the schematic diagram of Figure 4, it will be observed that in the "NORMAL" operating position, the hard disk memory can be both written to and read from, so that the full and complete capabilities of the computer and its associated hard disk memory are available to the operator. When key 34 is inserted and switch 18 operated to the "READ ONLY" mode, the line labelled "WRITE DATA +" is open-circuited by contacts 1 and 2, the line labelled "WRITE DATA -" is open-circuited by contacts 3 and 4, and the "WRITE GATE" line is open-circuited between contacts 7 and 9 of switch 18A, precluding any possibility of writing to (storing data on) the hard disk memory. In the "WRITE ONLY" position of the switch 18, the "READ GATE" lines are open-circuited by contacts 5 and 6 of section B of switch 18, as shown, so that no data stored on the hard disk memory can be read. In the "NEITHER" position of the switch, the three lines labeled "WRITE FAULT", "DRIVE SELECT 1", and "DRIVE SELECT 2" are disabled by being electrically connected through contacts 7 and 8 of switch 18A to the "WRITE GATE" line through isolating diodes 38.

It will be recognized by those skilled in the art 
that this is necessary to avoid the pick-up or generation 
of noise in the open leads. Simultaneously, the "WRITE 
GATE" line is again open-circuited between contacts 7 and 
9 of switch 18A as described above. 

Of course, it will also be apparent to those skilled in the art that, in another embodiment of the present invention, existing cables to a computer to be modified with the present invention can be replaced by wholly fabricated replacement cables with the switching device of the present invention manufactured in place as an integral part of such replacement cables. Furthermore, as has already been mentioned, security switch 18 or its equivalent can be mounted or attached in some location other than that exemplified, such as directly on the circuit board of the controller or disk drive, for instance.



In the preferred embodiment, the software layer of the present invention is utilized to verify that the hardware is functioning to disable the disk controller. This layer verifies that a protected disk is indeed protected.

The flow diagrams depicted in Figures 5 and 6 illustrate the operation of the software system in the preferred embodiment.

While the flow diagrams can be easily read by those skilled in the art, the system operation based on the rules depicted in the diagrams will be discussed. However, it will be noted that the flow diagrams depict preferred operational embodiments. The specific references are enclosed as examples only, and are not intended to limit the scope of the invention.

Initially, the operator disengages the computer from any and all unclassified connections, e.g. a network, and the key 34 is removed from the switch 18 as indicated at 120, "configure for protective mode". The operator then inserts the boot disk which contains the software level of the security system and turns the computer on. The "autoexec.bat" file contained on the boot disk activates the "protect" program. The "protect" program can be initiated to protect all drives, all drives except a given drive, or any specifically designated drive(s). For purposes of illustration the flow diagram designates drive "n" as any given drive.

The program then initiates the status log record at 125. The audit record status is set at zero (0) at 126 and the keyboard is locked at 127. While the audit record status can be designated as any given set of values, in the preferred, illustrated embodiment the values shown in Table 1 are used.
Value   Meaning

  0     Start-up not completed; Quit not run.
  1     Failure during start-up.
  2     Start-up successfully run; Quit not run.
  3     Write attempt to protected drive during operation.
  4     Test failure during operation.
  5     Test failure during running Quit.
  9     Successful session end; there were no

Table 1



The system then identifies the first protected drive and determines if that drive is indeed protected at 130. In the event that the drive is not protected, this result is displayed at 135 and the audit record status is updated to one (1). The operator is prompted to reconfigure for protected mode and instructed that the software will reboot the system in a preselected amount of time. In the illustrated preferred embodiment the system reboots in about fifteen (15) seconds. This causes the "Protect" program to be reactivated at 124. If drive "n" passes the initial test at 130, that result is displayed and the program repeats 130 for each protected drive. When the last protected drive passes the initial test at 130, the audit record status is updated to two (2) and the display notifies the user that the test of the protected drives is complete. The boot record, the File Allocation Table (FAT) and the checksums of each protected drive are copied to the boot disk at 140. The protect program enters a "terminate and stay resident" (TSR) mode and the keyboard is unlocked at 145. Those skilled in the art will recognize that the locking of the keyboard at 127 and the unlocking of the keyboard at 145 is an internal feature of the software and is not to be confused with the locking electrical switch described above.

At this point the operator has complete use of the processing capabilities of the computer. The TSR protect program continually monitors at 150 any attempt to write to a protected disk. When such an attempt is detected at 155, the operator is prompted to reinsert the boot disk, and the audit record status is updated to three (3). The operator is prompted to reconfigure for protected mode and instructed that the software will reboot the system in a preselected amount of time. In the illustrated preferred embodiment the system reboots in about fifteen (15) seconds. This reinitiates the "Protect" program at 124.

When the user is finished operating in a classified environment the user must reinsert the boot disk and execute the "Quit" program. The "Quit" program compares the current boot record, the current FAT, and the current checksums with those saved on the boot disk. If the records are the same, the audit record status is updated to nine (9). The system locks the keyboard and displays the test results at 164. In the preferred embodiment, the system displays:

Checksum test complete. Sanitize the system; be sure to power down and remove all classified materials.
At this time the system must be powered down.

If the current records are different from the records saved on the boot disk, the audit record status is updated to five (5). The keyboard is locked and the system notifies the user of the failure. In the preferred embodiment, the system displays:

FAILURE: Drive "n" failed the checksum [boot, or FAT] test. CONTACT YOUR DIVISION COMPUTER SECURITY OFFICER (CSO) IMMEDIATELY.
At this time the system must be powered down.
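The start-up test at 130, the TSR monitor at 150/155 and the Quit comparison described above, carried through as a simulation in Python. This is an added example, not the "protect" or "Quit" program of the patent: the in-memory drive model, the sector layout (sector 0 as boot record, sectors 1 and 2 as FAT), the non-destructive write probe used to decide whether a drive is protected, and the use of SHA-256 as the "checksum" are all assumptions, since the page does not specify any of them. Only the audit status values follow Table 1.

```python
"""Simulation of the Protect / Quit procedure described above (added example).

This is not the program from the patent. The in-memory drive model, the
sector layout, the write probe used for the test at 130 and the use of
SHA-256 as the "checksum" are all assumptions; the page does not specify them.
"""
import hashlib

# Audit record status values, as listed in Table 1.
STATUS_NOT_STARTED = 0      # Start-up not completed; Quit not run
STATUS_STARTUP_FAILURE = 1  # Failure during start-up
STATUS_STARTED = 2          # Start-up successfully run; Quit not run
STATUS_WRITE_ATTEMPT = 3    # Write attempt to protected drive during operation
STATUS_QUIT_FAILURE = 5     # Test failure during running Quit
STATUS_SESSION_OK = 9       # Successful session end

SECTOR = 512
FAT_SECTORS = 2  # assumed layout: sector 0 = boot record, sectors 1..2 = FAT


class ProtectedDisk:
    """Assumed model of a hard disk behind security switch 18.

    write_enabled mirrors whether the WRITE GATE / WRITE DATA lines are
    connected (NORMAL, WRITE ONLY) or open-circuited (READ ONLY, NEITHER).
    """
    def __init__(self, sectors, write_enabled):
        self.image = bytearray(sectors * SECTOR)
        self.write_enabled = write_enabled
        self.write_attempts = 0  # what the TSR hook at 150 would count

    def read(self, sector):
        return bytes(self.image[sector * SECTOR:(sector + 1) * SECTOR])

    def write(self, sector, data):
        """True if the write landed, False if the open write lines blocked it."""
        self.write_attempts += 1
        if not self.write_enabled:
            return False
        self.image[sector * SECTOR:(sector + 1) * SECTOR] = data.ljust(SECTOR, b"\0")[:SECTOR]
        return True


def fingerprint(disk):
    """Boot record, FAT and whole-drive checksum, as copied to the boot disk at 140."""
    return {
        "boot": disk.read(0),
        "fat": b"".join(disk.read(s) for s in range(1, 1 + FAT_SECTORS)),
        "checksum": hashlib.sha256(disk.image).hexdigest(),
    }


def protect(disk, boot_disk):
    """Start-up test at 130: prove the drive is protected, then record the baseline."""
    boot_disk["status"] = STATUS_NOT_STARTED
    # Non-destructive probe (assumed method): write the boot sector back to
    # itself; with the write lines open the controller must refuse it.
    if disk.write(0, disk.read(0)):
        boot_disk["status"] = STATUS_STARTUP_FAILURE
        return boot_disk["status"]
    boot_disk["baseline"] = fingerprint(disk)
    boot_disk["attempts_at_start"] = disk.write_attempts
    boot_disk["status"] = STATUS_STARTED
    return boot_disk["status"]


def monitor(disk, boot_disk):
    """TSR check at 150/155: any write attempt since start-up sets status 3."""
    if disk.write_attempts > boot_disk["attempts_at_start"]:
        boot_disk["status"] = STATUS_WRITE_ATTEMPT
    return boot_disk["status"]


def quit_check(disk, boot_disk):
    """Quit program: compare current boot record, FAT and checksum with the saved copies."""
    current = fingerprint(disk)
    failed = [k for k in ("boot", "fat", "checksum") if current[k] != boot_disk["baseline"][k]]
    boot_disk["status"] = STATUS_QUIT_FAILURE if failed else STATUS_SESSION_OK
    return boot_disk["status"], failed


def run_session(scenario):
    """Run one session and return the audit statuses it passes through.

    Scenarios (all constructed):
      "unprotected"    key left in NORMAL, so the test at 130 fails
      "clean"          READ ONLY throughout, nothing tries to write
      "blocked_write"  something tries to write; the open lines refuse it
      "key_turned"     switch turned to NORMAL mid-session, FAT gets rewritten
    """
    disk = ProtectedDisk(sectors=8, write_enabled=(scenario == "unprotected"))
    disk.image[0:3] = b"\xeb\x3c\x90"  # constructed boot-record bytes
    boot_disk = {}
    statuses = [protect(disk, boot_disk)]
    if statuses[-1] == STATUS_STARTUP_FAILURE:
        return statuses
    if scenario in ("blocked_write", "key_turned"):
        if scenario == "key_turned":
            disk.write_enabled = True  # key reinserted and turned: write lines reconnected
        disk.write(1, b"\xff" * 8)
        statuses.append(monitor(disk, boot_disk))  # the real TSR would reboot here
    statuses.append(quit_check(disk, boot_disk)[0])
    return statuses
```

The "key_turned" scenario is the case the Quit comparison exists for: the TSR notices the write attempt (status 3), but only the saved boot record, FAT and checksum reveal that the write actually landed because the hardware layer had been reconnected, which is why the session ends in status 5 rather than 9. The probe in protect() writes a sector back to itself so that a drive wrongly left in NORMAL is detected without altering its contents.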

From the foregoing description, it will be recognized by those skilled in the art that a layered protection system for a computer disk offering advantages over the prior art has been provided. Specifically, the layered protection system for a computer disk provides a multilayered system incorporating hardware and software which verifiably prevents undesirable access to a computer's hard disk, and if warranted the system further prevents undesirable access to a computer's floppy disk drive(s), while allowing an operator to use the computer's central processor. The system maintains a status log of all protected disk checks and activities for purposes of routine security audit checks. It will be obvious to those skilled in the art that while in the protected mode the system also prevents "virus" contamination of protected drives.

While a preferred embodiment has been shown and described, it will be understood that it is not intended to limit the disclosure, but rather it is intended to cover all modifications and alternate methods falling within the spirit and the scope of the invention as defined in the appended claims.
Having thus described the aforementioned invention, we claim:

1. A layered protection system for controlling access to a hard disk memory system from a disk drive controller of a computer system, which comprises:

a switch means connected between said disk drive controller and said disk memory system, said switch means having contact means connected to selected electrical circuits joining said disk drive controller to said disk memory system, and having means for selectively accessing selected of said contact means;

lock means associated with said switch means to selectively inhibit access to a protected disk drive's operation via said switch means; and

means for selectively operating said lock means for administrative control of accessing said disk memory system from said disk drive controller.

2. The layered protection system of Claim 1 wherein said switch means and said lock means associated with said switch means are mounted in a housing separate from said disk drive controller and said hard disk memory system.

3. The layered protection system of Claim 1 wherein said switch means and said lock means associated with said switch means are mounted on the same printed circuit board as other electronic components of said disk drive controller.

4. The layered protection system of Claim 1 wherein said switch means and said lock means associated with said switch means are mounted in a housing containing said hard disk memory system.
5. The layered protection system of Claim 1 wherein said switch means is a rotary switch member having a plurality of selected rotary positions whereby said means for accessing said contacts is a rotary shaft carrying moving contacts whereby, at a given rotary position, a selected number of said rotary contacts interact with a selected number of said contact means for selectively connecting selected of said electrical circuits joining said hard disk memory system and said disk drive controller.

6. The layered protection system of Claim 5 wherein said plurality of rotary positions provides for at least operation in an unprotected mode wherein a disk in said protected disk drive may be read from and written to; operation in a mode allowing a disk in said protected disk drive to be read from but not written to; operation in a mode allowing a disk in said protected disk drive to be written to but not read from; and operation in a mode wherein a disk in said disk drive can neither be read from nor written to.

7. A layered protection system for controlling access to a computer's disk memory system from a disk drive controller of a computer system, which comprises:

a switch means connected between said disk drive 
controller and said disk memory system, said switch means 
having contact means connected to selected electrical 
circuits joining said disk drive controller to said disk 
memory system, and having means for selectively accessing 
selected of said contact means; 

lock means associated with said switch means to selectively inhibit access to a protected disk drive's operation via said switch means;
means for selectively operating said lock means for administrative control of accessing said disk memory system from said disk drive controller;

hardware verification means whereby said switch means is tested to insure that said switch means is selectively operated to disallow access to said protected disk drive, and is operable;

protected disk drive selection means for selectively controlling which said disk drive is to be protected; and

protected disk drive identification means for 
determining which of said computer's said disks are 
protected. 

8. The layered protection system of Claim 7 wherein said layered system further comprises:

status audit means whereby security status of said protected disks is recorded for security audit purposes.

9. The layered protection system of Claim 7 wherein said layered system further comprises:

access inhibiting means whereby unauthorized attempts to access said protected disk drive are obstructed.

10. The layered protection system of Claim 7 wherein said layered system further comprises:

non-access verification means whereby said layered protection system can verify that no access to said protected disk drives has been allowed.

11. A layered protection system for controlling access to a computer's disk memory system from a disk drive controller of a computer system, which comprises:

a switch means connected between said disk drive controller and said disk memory system, said switch means having contact means connected to selected electrical circuits joining said disk drive controller to said disk memory system, and having means for selectively accessing selected of said contact means;

lock means associated with said switch means to 
selectively inhibit access to a protected disk drive's 
operation via said switch means; 

means for selectively operating said lock means for 
administrative control of accessing said disk memory 
system from said disk drive controller; 

hardware verification means whereby said switch 
means is tested to insure that said switch means is 
selectively operated to disallow access to said protected 
disk drive and is operable; 

protected disk drive selection means for 
selectively controlling which said disk drive is to be 
protected; 

protected disk drive identification means for determining which of said computer's said disk drives are protected;

status audit means whereby security status of said 
protected disk drives is recorded for security audit 
purposes; 

access inhibiting means whereby unauthorized 
attempts to access said protected disk drive are 
obstructed; and 

non-access verification means whereby said layered 
protection system can verify that no access to said 
protected disk drives has been allowed. 